Description

"Central exchange for IP monitoring" 

The invention relates to methods and devices for enabling data
transmitted over a public land mobile network to be monitored.

In the mobile radio interception device according to
US2002/078384 A1, each lawful interception gateway (LIG) knows
the address of each LEA in order to transmit intercepted user
data packets to the LEA via the LIG interface X3.

A means of monitoring calls between mobile radio users that is
known to the person skilled in the art, as illustrated in
Figure 1, provides that the communication (conversations or
multimedia data transmission) between two mobile radio users of
one or more public land mobile networks is monitored in that
the user data transmitted between the mobile radio users, while
on its way through (at least) one public land mobile network,
is copied in a switching device (for example SGSN) which has
stored a list containing identities of users subject to
call-tapping (MSISDN and/or IMSI and/or IMEI) and the copied user
data is transmitted via an interface (= border gateway) to
monitoring devices belonging to the secret intelligence
services, federal border police, police, etc. Since there are a
number of government agencies in a number of local offices that
can be responsible for monitoring mobile radio users, the
copied data is transmitted by switching devices which copy the
data to be intercepted to further switching devices (border
gateways) at network gateways of the public land mobile
network, which gateways each set up a secure connection, such
as, for example, an IPsec tunnel over the Internet etc., to one
of the listening stations LEA (of the police or the federal
border police, etc.), via which secure connection the data is
transmitted in encrypted form to the listening station
responsible. As the exchanges carrying out the transmission to
the listening stations LEA at borders of a public land mobile
network are to be provided at least once per public land mobile
network and the transmission is performed separately to each
listening station LEA, a key management means is required in
each of these interface switching devices (border gateways) for
each of the listening stations.

WO 2004/006553, PCT/EP2002/007303

The object of the present invention is to enable the monitoring 
of data to be intercepted which is associated with users of a 
public land mobile network in an efficient and reliable manner. 
This object is achieved in each case by the subject matter of 
the independent claims. 

The inventive monitoring handling device (= Central
Interception Handler CIH) via which data to be intercepted is
transmitted to listening stations of the different government
agencies responsible considerably simplifies key management
compared with the previously practised solution of individual
connections from listening stations LEA to interface switching
devices (border gateways). Nevertheless the transmission of the
intercepted data to the listening devices is still very secure 
and is also possible for example via the Internet, since (in an 
easy-to-administer manner according to the invention) an 
encrypted transmission can take place from the monitoring 
handling device CIH to the listening stations LEA. At the same 
time it is possible for only one monitoring handling device CIH 
to be used per public land mobile network or by a number of 
public land mobile networks, for example, or alternatively a 
plurality of monitoring handling devices can be used for one 
public land mobile network. 

Further features and advantages will emerge from the claims and 
the following description of an exemplary embodiment with 
reference to the drawing, in which: 

Figure 1 is a block diagram showing the monitoring of user
data transmitted over a public land mobile network
according to the prior art having individual
connections between switching devices (border
gateways) and listening stations (LEA) on the side
of competent government agencies in each case,

Figure 2 is a block diagram showing the monitoring of data
transmitted over a public land mobile network
according to the invention having a central
monitoring handling device CIH.



Figure 1 is a block diagram showing a mobile radio terminal
device 1 (a mobile station, a communicator etc.) which
communicates with a further user (14) via an air interface
transmission device (RNC or BS) 2 and via a switching device
(VSGSN etc.) 3 of a first public land mobile network 4 and
possibly a further public land mobile network or a fixed
network or via an Internet access point over the Internet (http
/ wap etc.). In the example shown in Figure 1 it is made
possible for the competent government agencies in each case
(police/federal border police/secret intelligence service
etc.), each having a listening station LEA 6, 7, 8, 9, to
monitor calls of users 1 over a public land mobile network 4 in
such a way that data representing the call (or the multimedia
transmission over the Internet, etc.) is identified (during
registration or by monitoring of the data stream) on its way
through the public land mobile network 4 by a switching device
(SGSN or VSGSN or HSGSN or other exchange V) 3 (insofar as said
data originates from devices or persons (1) to be monitored
according to a list held in the exchange 3) and a copy of said
data is transmitted to an interface switching device (border
gateway) 11 which in turn transmits the copied data in a secure
tunnel, for example an IPsec tunnel, to the competent
government agency's listening station (bugging devices with
computers or recording devices or telephone etc.) responsible
for monitoring said user (1) or his terminal device. For this
purpose there is provided in each public land mobile network at
least one interface switching device (border gateway) 11, 12
which sets up a separate connection in each case to each of the
listening stations 6 to 9.

As the transmission between the interface switching devices
(border gateways) 11, 12 and the listening stations 7 to 9 is
ideally to be executed in an intercept-proof manner, it takes
place for example in encrypted form, with keys to be used for
the transmission having to be administered separately in each
switching device 11, 12 for each listening station 6 to 9 (key
management).

According to Figure 2 the monitoring of data transmitted over a
public land mobile network is supported by a monitoring
handling device CIH 14 which considerably simplifies the key
management for the secure (encrypted) transmission over a
packet-switched network (for example by means of IPsec). As
already explained in relation to Figure 1, in the example shown
in Figure 2 data (voice data or other user data) of a mobile
radio user is also transmitted over a public land mobile
network (or some other telecommunication network) by means of
packet switching to a further telecommunication network (public
land mobile network, or fixed network, or Internet, or other
packet-switched network). On its way through the
telecommunication network 4 the data (data packets) is copied
by a switching device (which has stored a table of users to be
monitored) and the copies of the data are transmitted via a
switching device (border gateway) to listening stations LEA. In
the process, however, according to the invention a tunnel will
be set up, not between the interface switching devices (border
gateways 11, 12) and the listening stations 6, 7, 8, 9, but
between the interface switching device 11 (or 12) and a central
monitoring handling device CIH 14 which performs a secure
transmission (for example using the Internet Protocol or in
some other packet-switched protocol over the Internet or
another network) to the listening station 7 responsible for
this user. For this purpose the monitoring device 14 has a
table of addresses (IP addresses) of all the listening stations
LEA 6, 7, 8, 9.

In addition the monitoring handling device CIH 14 has a memory
(or access to a memory) containing a list of keys, with at
least one key being stored for a specific listening station LEA
6/7/8/9 in each case, by means of which key the intercepted
data is to be transmitted to this listening station 6/7/8/9 in
encrypted form. In the example shown, the data is transmitted
by the monitoring handling device 14 to the respective
competent (at least one) listening station 6, 7, 8, 9 for all
listening stations via the same packet-switched switching
device (router V) 16.

Advantageously according to the invention the address (IP
address etc.) of the competent listening station LEA 6/7/8/9
must be known only to the monitoring device CIH 14 and not to
each interface switching device (border gateway) 11, 12 and the
key management also only has to take place in the monitoring
handling device 14 (Central Interception Handler CIH).

Necessary address translations are possible based on a list of
the assignments in the CIH.



The transmission of the data between the interface switching
devices (border gateways) 11, 12 of a network takes place for
example over a secure connection/IPsec tunnel between switching
devices (border gateways) and the monitoring handling device
14. The monitoring handling device CIH 14 can be part of the
network in which one or all of the listening stations 6 to 9
are disposed, in other words can be located in this network.
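
The difference in key and address placement between Figure 1 and Figure 2, modelled as an added example that is not part of the patent text. The node labels are built from the reference numerals, and treating each secure connection as one stored key and address on the sending side is an assumption of the model.

```python
# Constructed topology; labels follow the description's reference numerals
# (border gateways 11, 12; listening stations LEA 6-9; CIH 14).
GATEWAYS = ["BG11", "BG12"]
LEAS = ["LEA6", "LEA7", "LEA8", "LEA9"]
CIH = "CIH14"


def secure_links(central, gateways=GATEWAYS, leas=LEAS):
    """Secure connections (e.g. IPsec tunnels) as (sender, receiver) pairs."""
    if not central:
        # Figure 1: every border gateway connects to every listening station.
        return {(g, lea) for g in gateways for lea in leas}
    # Figure 2: gateways tunnel to the CIH; only the CIH sends to the LEAs.
    return {(g, CIH) for g in gateways} | {(CIH, lea) for lea in leas}


def key_stores(central, gateways=GATEWAYS, leas=LEAS):
    """Map each sending node to the peers it must hold a key and address for
    (model assumption: one entry per secure connection)."""
    stores = {}
    for sender, receiver in secure_links(central, gateways, leas):
        stores.setdefault(sender, set()).add(receiver)
    return stores


def lea_secrets_on(node, central, gateways=GATEWAYS, leas=LEAS):
    """LEAs whose key and address sit in one node's configuration."""
    return key_stores(central, gateways, leas).get(node, set()) & set(leas)


def nodes_to_update_for_new_lea(central, gateways=GATEWAYS, leas=LEAS):
    """Nodes that need a new key and address entry when an LEA is added."""
    return sorted(n for n in key_stores(central, gateways, leas)
                  if lea_secrets_on(n, central, gateways, leas))


if __name__ == "__main__":
    for central in (False, True):
        label = "Figure 2 (CIH)" if central else "Figure 1 (prior art)"
        print(label, "links:", len(secure_links(central)))
        for node, peers in sorted(key_stores(central).items()):
            print("  ", node, "holds keys for", sorted(peers))
        print("   update for a new LEA:", nodes_to_update_for_new_lea(central))
```

In the Figure 2 layout every LEA key and address is held by the CIH alone, so its configuration store is the one place where that material has to be protected and audited.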



